Unable to access dumb AP from network

Hi,
I've spent the past two days taking a crash course in this forum, and I owe all of my success so far to it, so thank you!

I have 2 Archer A7 routers:
One router with a main network on VLAN 1 and IOT network on VLAN 3 (call it "router").
The other one is setup as a dumb AP for my main network and IOT network via trunking (call it "AP").
The AP's LAN port 4 (formerly working on the WAN port, but switched it just in case) is connected to LAN port 4 on my router.
Both are properly tagged with the associated VLANs.
AP has interfaces for each VLAN with DHCP server disabled and wireless networks attached, and all is working properly.
Firewall is currently on (although I tried disabling it).
LAN ports 1–3 of the AP are part of their own VLAN 2 on the AP and attached to an interface with a DHCP server, which is how I can connect to the AP itself and configure it (after multiple lockouts and hard resets taught me a lesson).

However:

  1. I am unable to access the AP from my main network (VLAN 1), even though it has a static ip within my subnet.
  2. This is technically a separate issue, but perhaps relevant: I was unable to set up the interfaces on the AP as either unmanaged or DHCP clients, which is supposed to work. When they were set up as either of those, clients connected to the AP couldn't reach the internet, and the logs showed `dhcp packet received on *** which has no address`. I had to use static addressing instead.

I've read through many related posts here, but could not find anything that helped.
Thank you in advance!!

Here is my output to the standard requested commands:

root@OpenWrt-AP:~# ubus call system board
{
        "kernel": "5.15.134",
        "hostname": "OpenWrt-AP",
        "system": "Qualcomm Atheros QCA956X ver 1 rev 0",
        "model": "TP-Link Archer A7 v5",
        "board_name": "tplink,archer-a7-v5",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.0",
                "revision": "r23497-6637af95aa",
                "target": "ath79/generic",
                "description": "OpenWrt 23.05.0 r23497-6637af95aa"
        }
}
root@OpenWrt-AP:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd77:0a1b:c144::/48'

# Management-only bridge: eth0.2 is switch VLAN 2 (untagged on switch ports 2,3,4 below).
# This is the only network the firewall's 'lan' zone covers on this AP.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.2'

# Mgmt address 192.168.100.1/24; a DHCP server for it is configured in /etc/config/dhcp.
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.100.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'eth0.2'
        option macaddr '*****'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# VLAN 1 (main LAN): tagged on the CPU (0t) and on switch port 5, the trunk to the router.
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 5t'
        option vid '1'
        option description 'lan trunk'

# VLAN 2 (mgmt): untagged on switch ports 2,3,4 - the only ports a laptop can plug into.
config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 2 3 4'
        option vid '2'
        option description 'mgmt'

# VLAN 3 (IoT): tagged on the CPU and on the same trunk port 5.
config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '0t 5t'
        option vid '3'
        option description 'iot trunk'

# NOTE(review): 'option type bridge' inside a 'config interface' is the pre-21.02 syntax;
# the bridge is already declared as a 'config device' (br-lan-trunk) further down, so this
# line is redundant and the reply that follows asks for it to be removed.
# This network is not listed in any firewall zone (the 'lan' zone covers only 'lan'), so
# the 'config defaults' input policy (REJECT) applies to 192.168.1.10 - consistent with
# the AP being unreachable from VLAN 1 (issue 1 above).
config interface 'lan_trunk'
        option proto 'static'
        option device 'br-lan-trunk'
        option type 'bridge'
        option ipaddr '192.168.1.10'
        option netmask '255.255.255.0'
        option gateway '192.168.1.1'
        list dns '192.168.1.1'

# NOTE(review): a static address plus a second 'gateway' on the IoT VLAN gives the AP an
# address (192.168.3.10) reachable from IoT clients and two default routes. A dumb AP only
# bridges this VLAN; 'option proto none' (unmanaged) keeps IoT devices off the AP's
# management plane. Same legacy 'type bridge' issue as above.
config interface 'iot_trunk'
        option proto 'static'
        option device 'br-iot-trunk'
        option type 'bridge'
        option ipaddr '192.168.3.10'
        option netmask '255.255.255.0'
        option gateway '192.168.3.1'

# Bridges carrying the tagged VLAN sub-interfaces; the wireless SSIDs attach to these.
config device
        option type 'bridge'
        option name 'br-lan-trunk'
        list ports 'eth0.1'

config device
        option type 'bridge'
        option name 'br-iot-trunk'
        list ports 'eth0.3'

root@OpenWrt-AP:~# cat /etc/config/wireless

# 5 GHz radio, VHT80 on channel 157.
config wifi-device 'radio0'
        option type 'mac80211'
        option path 'pci0000:00/0000:00:00.0'
        option channel '157'
        option band '5g'
        option htmode 'VHT80'
        option country 'US'
        option cell_density '0'

# Main-LAN SSID on 5 GHz, bridged into lan_trunk (VLAN 1). WPA2-PSK/CCMP; key redacted.
config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan_trunk'
        option mode 'ap'
        option ssid '****'
        option encryption 'psk2+ccmp'
        option key '****'

# 2.4 GHz radio, HT20 on channel 1.
config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/ahb/18100000.wmac'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option country 'US'
        option cell_density '0'

# Main-LAN SSID on 2.4 GHz - currently disabled.
config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan_trunk'
        option mode 'ap'
        option ssid '****'
        option encryption 'psk2+ccmp'
        option key '****'
        option disabled '1'

# IoT SSID on 2.4 GHz, bridged into iot_trunk (VLAN 3). Separate PSK from the main SSID.
config wifi-iface 'wifinet2'
        option device 'radio1'
        option mode 'ap'
        option ssid '****'
        option encryption 'psk2+ccmp'
        option key '****'
        option network 'iot_trunk'

root@OpenWrt-AP:~# cat /etc/config/dhcp

# Stock dnsmasq settings. rebind_protection blocks upstream answers pointing at private
# ranges; localservice restricts DNS service to directly attached subnets.
config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

# DHCPv4/v6 + RA served only on 'lan' (the 192.168.100.x mgmt bridge). No section exists
# for lan_trunk/iot_trunk, so the AP does not hand out leases on VLAN 1 or VLAN 3.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

root@OpenWrt-AP:~# cat /etc/config/firewall

# Policies for any interface that is NOT covered by a zone. input REJECT means SSH/LuCI
# on such an address is actively rejected (a TCP reset shows up as "Connection refused").
config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

# Only 'lan' (the 192.168.100.x mgmt bridge) is covered. 'lan_trunk' (192.168.1.10) and
# 'iot_trunk' (192.168.3.10) belong to no zone, so the REJECT defaults above apply to
# them - consistent with the AP being unreachable from VLAN 1 (issue 1).
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

# 'wan' zone with no network attached: inert on an AP, as are all 'src wan' rules below.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

# Stock OpenWrt rules, unchanged from defaults (DHCP/ICMP/IGMP/MLD/IPsec from 'wan').
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

Just quickly scanning your files, I haven't identified all possible issues, but there are a few that jump out...

Notably:

  1. avoid underscores -- you've got one in lan_trunk. This is arguably not a good name for the network interface anyway, since trunking is a property of the switch port, not of the network interface. I'd recommend making this simply lan
  2. you've got a line in the config interface 'lan_trunk' section that is option type 'bridge' -- this must be removed as it will break the interface. In the 21.02+ syntax, type 'bridge' belongs only in a config device section, which you already have for br-lan-trunk.
  3. I'd recommend renaming the br-lan-trunk to simply br-lan

Your iot_trunk network should be renamed iot and it should be unmanaged (proto 'none'): a dumb AP only bridges that VLAN, so it has no reason to hold an address on it, and dropping the 192.168.3.10 address also means IoT clients can no longer reach the AP's SSH/LuCI. It'll look like this (you'll see I'm also editing the device -- more on that shortly):

# Unmanaged: the AP bridges VLAN 3 but has no address on it, so it is not reachable
# from IoT clients and needs no gateway/route for this network.
config interface 'iot'
        option proto 'none'
        option device 'br-iot'

I'd rename your bridges as follows:

# br-lan carries the tagged VLAN 1 sub-interface (main LAN) plus the lan SSIDs.
config device
        option type 'bridge'
        option name 'br-lan'
        list ports 'eth0.1'

# br-iot carries the tagged VLAN 3 sub-interface (IoT) plus the IoT SSID.
config device
        option type 'bridge'
        option name 'br-iot'
        list ports 'eth0.3'

Be sure to fix the names of the networks in the wireless config file.

In the dhcp file, you need to set the lan interface to ignore, so the AP does not run a second DHCP server on VLAN 1 alongside the main router:

# 'ignore 1' stops dnsmasq from answering DHCP on this interface; the main router
# remains the only DHCP server on VLAN 1.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ignore '1'

Finally, this AP is expecting both networks (VLAN 1 and VLAN 3) to be tagged on the uplink. This means you need to check to make sure that the corresponding port on the main router has both tagged.

@psherman Thank you!
Just spent the morning on this. I managed to gain access to it from lan after a few hard resets, but something strange is going on. At some point, I lose the ability to access it. At first I thought it was a setting change I was making, but that doesn't seem to be the case.
The last thing I did was successfully download a backup of the settings. Then I tried navigating to another menu and it won't let me connect. SSH says Connection refused
Meanwhile, it's working perfectly as a dumb AP.
I am totally lost, since it goes from allowing me to access it to suddenly not working, without me changing any settings.

Thank you again for all your help!!!

Here are my network and dhcp settings from the backup:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd77:0a1b:c144::/48'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# VLAN 1 (main LAN): the former mgmt VLAN is gone; switch ports 2,3,4 are now untagged
# members of the main LAN and port 5 is the tagged trunk to the router.
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0t 2 3 4 5t'
	option vid '1'
	option description 'lan'

# VLAN 3 (IoT): tagged on the CPU and the trunk only - no untagged IoT ports on the AP.
config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '0t 5t'
	option vid '3'
	option description 'iot'

# The AP's only address: 192.168.1.10 on the main LAN, default route via the router.
# It must be covered by the firewall's 'lan' zone to be reachable (see the firewall file).
config interface 'lan'
	option proto 'static'
	option device 'br-lan'
	option ipaddr '192.168.1.10'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'
	list dns '192.168.1.1'

# Unmanaged: bridged only, no address on the IoT VLAN, so IoT clients cannot reach the AP.
config interface 'iot'
	option proto 'none'
	option device 'br-iot'

config device
	option type 'bridge'
	option name 'br-lan'
	list ports 'eth0.1'

config device
	option type 'bridge'
	option name 'br-iot'
	list ports 'eth0.3'
# /etc/config/dhcp from the backup. There is no 'config dhcp' section at all now, so the
# AP serves no DHCP/RA on any interface - equivalent to the suggested 'ignore 1'.
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

From the AP, can you also provide the other config files of relevance:

cat /etc/config/firewall
cat /etc/config/wireless

And on your main router, let's see all of the configs:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

AP firewall

# Policies for any interface not covered by a zone: input REJECT => SSH/LuCI on such an
# address gets a TCP reset, which the ssh client reports as "Connection refused".
config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# BUG: this zone has no 'list network' line, so it covers nothing. The 'lan' interface
# (192.168.1.10) therefore falls under the REJECT defaults above, which is why the AP is
# intermittently unreachable. Fix: add "list network 'lan'" (as the final reply says).
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# 'wan' zone with no network attached: inert on an AP, as are all 'src wan' rules below.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

# Stock OpenWrt rules, unchanged from defaults (DHCP/ICMP/IGMP/MLD/IPsec from 'wan').
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

AP wireless

# 5 GHz radio, VHT80 on channel 157.
config wifi-device 'radio0'
	option type 'mac80211'
	option path 'pci0000:00/0000:00:00.0'
	option channel '157'
	option band '5g'
	option htmode 'VHT80'
	option country 'US'
	option cell_density '0'

# Main-LAN SSID on 5 GHz, bridged into 'lan' (VLAN 1). WPA2-PSK/CCMP; key redacted.
config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid '****'
	option encryption 'psk2+ccmp'
	option key '****'

# 2.4 GHz radio, HT20 on channel 1.
config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/ahb/18100000.wmac'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option country 'US'
	option cell_density '0'

# Main-LAN SSID on 2.4 GHz - currently disabled.
config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid '****'
	option encryption 'psk2+ccmp'
	option key '****'
	option disabled '1'

# IoT SSID on 2.4 GHz, bridged into the unmanaged 'iot' network (VLAN 3).
config wifi-iface 'wifinet2'
	option device 'radio1'
	option network 'iot'
	option mode 'ap'
	option ssid '****'
	option encryption 'psk2+ccmp'
	option key '****'

Router

root@OpenWrt-router:~# ubus call system board
{
        "kernel": "5.15.134",
        "hostname": "OpenWrt-router",
        "system": "Qualcomm Atheros QCA956X ver 1 rev 0",
        "model": "TP-Link Archer A7 v5",
        "board_name": "tplink,archer-a7-v5",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.0",
                "revision": "r23497-6637af95aa",
                "target": "ath79/generic",
                "description": "OpenWrt 23.05.0 r23497-6637af95aa"
        }
}
root@OpenWrt-router:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fda0:50df:7b5b::/48'

# Main LAN bridge on the tagged VLAN 1 sub-interface.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'eth0.2'
        option macaddr '****'

# WAN on VLAN 2 (switch port 1). Upstream DNS pinned to OpenDNS; ISP-supplied DNS ignored.
config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'
        option peerdns '0'
        list dns '208.67.222.222'
        list dns '208.67.220.220'

# wan6 is defined but 'auto 0' keeps it from being brought up automatically.
config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option peerdns '0'
        list dns '2a07:a8c0::**:****'
        list dns '2a07:a8c1::**:****'
        option auto '0'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# VLAN 1 (main LAN): untagged on switch port 4, tagged on port 5. Port 5 is tagged in
# both VLAN 1 and VLAN 3 below, so it is the trunk that must face the AP.
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 4 5t'
        option vid '1'
        option description 'lan'

# VLAN 2 (WAN): switch port 1 only. VLAN IDs are local to each switch, so this does not
# clash with the AP's former mgmt VLAN 2.
config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 1'
        option vid '2'
        option description 'wan'

# Guest network is wifi-only: its device is the wifinet2 netdev, no bridge or switch port.
config interface 'guest'
        option proto 'static'
        option device 'radio1.network2'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'

config interface 'iot'
        option proto 'static'
        option device 'br-iot'
        list ipaddr '192.168.3.1/24'

# VLAN 3 (IoT): untagged on switch ports 2,3 (wired IoT hosts), tagged on the trunk port 5.
config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '0t 2 3 5t'
        option vid '3'
        option description 'iot'

config device
        option type 'bridge'
        option name 'br-iot'
        list ports 'eth0.3'

root@OpenWrt-router:~# cat /etc/config/wireless

# 5 GHz radio, VHT80 on channel 48. No 'country' option set here (the AP sets 'US').
config wifi-device 'radio0'
        option type 'mac80211'
        option path 'pci0000:00/0000:00:00.0'
        option channel '48'
        option band '5g'
        option htmode 'VHT80'
        option cell_density '0'

# Main-LAN SSID, 5 GHz. WPA2-PSK/CCMP; key redacted.
config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid '****'
        option encryption 'psk2+ccmp'
        option key '****'

# 2.4 GHz radio, HT20 on channel 11.
config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/ahb/18100000.wmac'
        option channel '11'
        option band '2g'
        option htmode 'HT20'
        option cell_density '0'

# Main-LAN SSID, 2.4 GHz.
config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid '****'
        option encryption 'psk2+ccmp'
        option key '****'

# Guest SSID: 'isolate 1' stops guest clients from talking to each other at layer 2.
config wifi-iface 'wifinet2'
        option device 'radio1'
        option mode 'ap'
        option ssid '****'
        option encryption 'psk2+ccmp'
        option isolate '1'
        option key '****'
        option network 'guest'

# IoT SSID: no 'isolate' here, so IoT wifi clients can reach each other directly.
# NOTE(review): consider 'option isolate 1' as on guest if the IoT devices never need
# to talk among themselves.
config wifi-iface 'wifinet3'
        option device 'radio1'
        option mode 'ap'
        option ssid '****'
        option encryption 'psk2+ccmp'
        option key '****'
        option network 'iot'

root@OpenWrt-router:~# cat /etc/config/dhcp

# rebind_protection drops upstream answers that point at private ranges; localservice
# limits DNS service to directly attached subnets.
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'

# DHCPv4/v6 + RA on the main LAN (192.168.1.100-249).
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# DHCPv4 for the guest and IoT networks (served to those zones via the firewall's
# 'Guest DHCP' / 'IOT DHCP' rules).
config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp 'iot'
        option interface 'iot'
        option start '100'
        option limit '150'
        option leasetime '12h'

# Static leases. 'dns 1' also registers the hostname in dnsmasq. 192.168.1.2 is the
# target of the SMTP/POP3 port forwards in the firewall file; 192.168.3.3 of the
# HTTP/HTTPS ones.
config host
        option mac '****'
        option ip '192.168.1.2'
        option name 'DELL-LAPTOP'
        option dns '1'

config host
        option name 'HOME-ASSISTANT'
        option dns '1'
        option mac '****'
        option ip '192.168.3.3'

config host
        option name 'OBI-200'
        option dns '1'
        option mac '****'
        option ip '192.168.3.4'

root@OpenWrt-router:~# cat /etc/config/firewall

# Default-deny: traffic between zones is dropped unless a 'config forwarding' below
# allows it, and the router accepts nothing on an interface outside an accepting zone.
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

# Trusted zone: full access to the router and to any zone it is forwarded to.
config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

# Stock OpenWrt rules for traffic arriving from 'wan'.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Stock rules that let WAN-originated ESP and IKE (UDP 500) into the lan zone. Only
# useful if a lan host is an IPsec responder; otherwise they can be removed.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Guest: Internet only. No forwarding to lan or IOTZone exists, so guests cannot reach
# either; router services are limited to the 'Guest DNS' / 'Guest DHCP' rules below.
config zone
        option name 'GuestZone'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest'

config forwarding
        option src 'GuestZone'
        option dest 'wan'

# IoT: Internet plus replies to lan-initiated connections only. There is no
# IOTZone -> lan forwarding, so IoT devices cannot open connections into the main LAN.
config zone
        option name 'IOTZone'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'iot'

config forwarding
        option src 'IOTZone'
        option dest 'wan'

# One-way: lan may initiate to IoT (e.g. to Home Assistant), not the reverse.
config forwarding
        option src 'lan'
        option dest 'IOTZone'

# No network attached to this zone, so it is currently inert.
config zone
        option name 'KidsZone'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config forwarding
        option src 'KidsZone'
        option dest 'wan'

# Internet-exposed: WAN:80 -> Home Assistant host (ACME HTTP-01 validation). No 'proto'
# is set, so fw4 applies its default (tcp and udp); HTTP-01 is TCP only, so
# "list proto 'tcp'" would narrow it.
config redirect
        option dest 'IOTZone'
        option target 'DNAT'
        option name 'Let'\''s Encrypt'
        option src 'wan'
        option src_dport '80'
        option dest_ip '192.168.3.3'
        option dest_port '80'

# Internet-exposed: WAN:443 -> Home Assistant on 8123. NAT reflection lets clients in
# the IoT and lan zones use the public address. Same missing-'proto' note as above.
config redirect
        option dest 'IOTZone'
        option target 'DNAT'
        option name 'Home Assistant'
        option src 'wan'
        option src_dport '443'
        option dest_ip '192.168.3.3'
        option dest_port '8123'
        option reflection_src 'external'
        list reflection_zone 'IOTZone'
        list reflection_zone 'lan'

# NOTE(review): these two forward Internet traffic (465, 1110) to 192.168.1.2, the
# DELL-LAPTOP static lease on the trusted 'lan' zone (input/forward ACCEPT). An
# Internet-facing service on the main LAN is a foothold if it is compromised; the
# Home Assistant host is at least confined to IOTZone. Consider moving this host to
# its own zone with the same one-way forwarding pattern.
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'SMTP ****'
        list proto 'tcp'
        option src 'wan'
        option src_dport '465'
        option dest_ip '192.168.1.2'
        option dest_port '465'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'POP3 ****'
        list proto 'tcp'
        option src 'wan'
        option src_dport '1110'
        option dest_ip '192.168.1.2'
        option dest_port '1110'

# Router services allowed from the isolated zones: DNS (no 'proto' => tcp and udp by
# fw4 default) and DHCP (udp/67). Nothing else on the router is reachable from them.
config rule
        option name 'IOT DNS'
        option src 'IOTZone'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'Guest DNS'
        option src 'GuestZone'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'IOT DHCP'
        list proto 'udp'
        option src 'IOTZone'
        option dest_port '67'
        option target 'ACCEPT'

config rule
        option name 'Guest DHCP'
        list proto 'udp'
        option src 'GuestZone'
        option dest_port '67'
        option target 'ACCEPT'

On the AP, your lan firewall zone is missing the lan network. With no network listed, the zone covers nothing, so the lan interface (192.168.1.10) falls under the config defaults policy (input REJECT) and SSH/LuCI are actively rejected -- which matches the "Connection refused" you saw.

It should look like this:

# 'list network lan' puts the AP's only address into the accepting zone; without it the
# 'config defaults' input REJECT applies and management access is refused.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

THANK YOU!!
I'm an idiot—I set the lan interface's firewall zone to "unspecified" in LuCI, thinking I had no need for a firewall on an AP, but that just removes the interface from the accepting lan zone, so the default input policy of REJECT applied to it.
All is good with the world now—thanks again!
